Denial Of Service Attacks - Revision history

Frostd at 22:29, 12 April 2009

2009-04-12T22:29:42Z

← Older revision		Revision as of 22:29, 12 April 2009
Line 54:		Line 54:

	== References ==		== References ==
-	# ~~Types of DDoS Attacks. Retrieved April 11, 2009, from~~ http://anml.iu.edu/ddos/types.html	+	# [http://anml.iu.edu/ddos/types.html Types of DDoS Attacks]. Retrieved April 11, 2009
-	~~# CERT/CC Denial~~ of ~~Service~~. Retrieved April 11, 2009~~, from~~ http://www.cert.org/tech_tips/denial_of_service.html	+	# [http://www.cert.org/tech_tips/denial_of_service.html CERT/CC Denial of Service]. Retrieved April 11, 2009
-	~~# Mullen, Ruth. Flood Protection and Ignoring People~~. Retrieved April 11, 2009, ~~from~~ http://www.irchelp.org/irchelp/mirc/flood.html	+	# Mullen, Ruth. [http://www.irchelp.org/irchelp/mirc/flood.html Flood Protection and Ignoring People]. Retrieved April 11, 2009
-	# "Simple Nomad", ~~Strategies for Defeating Distributed Attacks. Retrieved April 11, 2009, from~~ http://www.windowsecurity.com/whitepapers/Strategies_for_Defeating_Distributed_Attacks.html	+	# "Simple Nomad", [http://www.windowsecurity.com/whitepapers/Strategies_for_Defeating_Distributed_Attacks.html Strategies for Defeating Distributed Attacks]. Retrieved April 11, 2009
-	# Parks, J. (2008, August 25). ~~DDoS Attack Prevention - The Best Medicine. Retrieved April 12, 2009, from~~ http://ezinearticles.com/?DDoS-Attack-Prevention---The-Best-Medicine&id=1439320	+	# Parks, J. (2008, August 25). [http://ezinearticles.com/?DDoS-Attack-Prevention---The-Best-Medicine&id=1439320 DDoS Attack Prevention - The Best Medicine]. Retrieved April 12, 2009
-	# Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, ~~from~~ http://~~pages~~.cs.~~wisc.edu~~/~~~plonka~~/~~netgear~~-~~sntp~~/	+	# Plonka, Dave. (August 21, 2003). [http://pages.cs.wisc.edu/~plonka/netgear-sntp/ Flawed Routers Flood University of Wisconsin Internet Time Server]. Retrieved April 12, 2009
-	~~# Manzano, Yanet~~. Tracing the Development of Denial of Service Attacks: A Corporate Analogy. Retrieved April 12, 2009, ~~from~~ http://~~www~~.~~acm~~.~~org~~/~~crossroads~~/~~xrds10-1~~/~~tracingDOS.html~~	+	# Manzano, Yanet. [http://www.acm.org/crossroads/xrds10-1/tracingDOS.html Tracing the Development of Denial of Service Attacks: A Corporate Analogy]. Retrieved April 12, 2009
-	~~# Dittrich, David~~. The "stacheldraht" distributed denial of service attack tool. Retrieved April 12, 2009~~, from http://staff.washington.edu/dittrich/misc/stacheldraht.analysis~~	+	# Dittrich, David. [http://staff.washington.edu/dittrich/misc/stacheldraht.analysis The "stacheldraht" distributed denial of service attack tool]. Retrieved April 12, 2009

	== External links ==		== External links ==

Frostd at 21:59, 12 April 2009

2009-04-12T21:59:49Z

← Older revision		Revision as of 21:59, 12 April 2009
Line 66:		Line 66:
	* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]		* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]

-	--[[User:Frostd\|Frostd]] 17:32, 3 April 2009 (EDT)	+	--[[User:Frostd\|Frostd]] 17:59, 12 April 2009 (EDT)

Frostd at 21:59, 12 April 2009

2009-04-12T21:59:08Z

← Older revision		Revision as of 21:59, 12 April 2009
Line 24:		Line 24:
	[[Image:DOS_Model.gif\|thumb\|right\|400px\|The three main types of DoS attack]]		[[Image:DOS_Model.gif\|thumb\|right\|400px\|The three main types of DoS attack]]

-	~~Distributed~~ DoS attacks ~~etc~~.	+	A distributed denial of service attack (DDoS) is a much more powerful form of the traditional DoS attack. In this form of the attack multiple compromised computers (also known as slaves) are used to proform the attacks noted above. Capturing the computers to do such an attack is done through viruses and malware. Both may be designed so that all of the machines are triggered at a specific date and time. Alternatively the master system could have has more specific and varied control over them. There are many DDoS tools that can be used to both run through lists of exploits to aquire new slaves as well as to control the slaves. A collected group of compermised computers are often called [[Bots & Botnets]]. Stacheldraht is a classic example of a control program that may be used to control multiple master systems at once which in turn control all of the slaved machines. <sup>[8]</sup>
		+
		+	The primary difference and advantage of DDoS is that DoS only makes use of one computer while DDoS uses many computer to complete a task. Because so many more computers are involved these attacks can be much harder to stop and also harder to detect because more focus can be put on staying hidden instead of getting the maxium power out of a single machine. They attacks are also much more powerful and often involve hundreds or even thousands of computers.<sup>[7]</sup>

	=== Unintentional attack ===		=== Unintentional attack ===
Line 49:		Line 51:
	* [[ping]]		* [[ping]]
	* [[Smurfing]]		* [[Smurfing]]
		+	* [[Bots & Botnets]]

	== References ==		== References ==
Line 58:		Line 61:
	# Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, from http://pages.cs.wisc.edu/~plonka/netgear-sntp/		# Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, from http://pages.cs.wisc.edu/~plonka/netgear-sntp/
	# Manzano, Yanet. Tracing the Development of Denial of Service Attacks: A Corporate Analogy. Retrieved April 12, 2009, from http://www.acm.org/crossroads/xrds10-1/tracingDOS.html		# Manzano, Yanet. Tracing the Development of Denial of Service Attacks: A Corporate Analogy. Retrieved April 12, 2009, from http://www.acm.org/crossroads/xrds10-1/tracingDOS.html
		+	# Dittrich, David. The "stacheldraht" distributed denial of service attack tool. Retrieved April 12, 2009, from http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

	== External links ==		== External links ==

Frostd: /* Firewalls */

2009-04-12T21:07:30Z

Firewalls

← Older revision		Revision as of 21:07, 12 April 2009
Line 36:		Line 36:
	=== Firewalls ===		=== Firewalls ===

-	Common firewalls are not well suited to handle DoS attacks except by taking extreme measures. It does not take a very sophisticated defense to simply drop certain types of packets that are received. The Linux command iptables can be used to manually set the firewall rules that would partially protect a system from a DoS attack. An issue with extreme measures like blocking ICMP messages so that you are not vulnerable to ICMP flooding is that you losing a lot of functionality that comes with the protocol. This could be taken to an extreme of crippling a system by not allowing TCP or UDP packets to reach it. Even by taking steps to limit traffic other areas may still be left vulnerable most notably routers leading to the system.	+	Common firewalls are not well suited to handle DoS attacks except by taking extreme measures. It does not take a very sophisticated defense to simply drop certain types of packets that are received. The Linux command iptables can be used to manually set the firewall rules that would partially protect a system from a DoS attack. An issue with extreme measures like blocking ICMP messages so that you are not vulnerable to ICMP flooding is that you losing a lot of functionality that comes with the protocol. This could be taken to an extreme of crippling a system by not allowing TCP or UDP packets to reach it. Even by taking steps to limit traffic other areas may still be left vulnerable most notably routers leading to the system.<sup>[4]</sup>

	A few modern firewalls such as [http://en.wikipedia.org/wiki/Cisco_PIX Cisco PIX] have taken steps to help differentiate between good TCP traffic and malicious traffic.		A few modern firewalls such as [http://en.wikipedia.org/wiki/Cisco_PIX Cisco PIX] have taken steps to help differentiate between good TCP traffic and malicious traffic.

Frostd: /* Distributed attack */

2009-04-12T20:17:12Z

Distributed attack

← Older revision		Revision as of 20:17, 12 April 2009
Line 22:		Line 22:

	=== Distributed attack ===		=== Distributed attack ===
		+	[[Image:DOS_Model.gif\|thumb\|right\|400px\|The three main types of DoS attack]]
		+
		+	Distributed DoS attacks etc.

	=== Unintentional attack ===		=== Unintentional attack ===

Frostd at 20:10, 12 April 2009

2009-04-12T20:10:41Z

← Older revision		Revision as of 20:10, 12 April 2009
Line 32:		Line 32:

	=== Firewalls ===		=== Firewalls ===
		+
		+	Common firewalls are not well suited to handle DoS attacks except by taking extreme measures. It does not take a very sophisticated defense to simply drop certain types of packets that are received. The Linux command iptables can be used to manually set the firewall rules that would partially protect a system from a DoS attack. An issue with extreme measures like blocking ICMP messages so that you are not vulnerable to ICMP flooding is that you losing a lot of functionality that comes with the protocol. This could be taken to an extreme of crippling a system by not allowing TCP or UDP packets to reach it. Even by taking steps to limit traffic other areas may still be left vulnerable most notably routers leading to the system.
		+
		+	A few modern firewalls such as [http://en.wikipedia.org/wiki/Cisco_PIX Cisco PIX] have taken steps to help differentiate between good TCP traffic and malicious traffic.

	=== Switches and Routers ===		=== Switches and Routers ===

-	~~=== Application Level ===~~	+	Most switches and routers have some options in limiting the amount of information that is allowed through device and access control list features. For switches this may include automatic traffic limiting, delayed binding when dealing with TCP, deep packet inspection and the ability to identify bogus IP addresses. The obvious disadvantage to having many features like this turned on is that the router or switch takes a large performance hit since each packet has to be closely inspected before it is allowed past.

	== See also ==		== See also ==
Line 50:		Line 54:
	# Parks, J. (2008, August 25). DDoS Attack Prevention - The Best Medicine. Retrieved April 12, 2009, from http://ezinearticles.com/?DDoS-Attack-Prevention---The-Best-Medicine&id=1439320		# Parks, J. (2008, August 25). DDoS Attack Prevention - The Best Medicine. Retrieved April 12, 2009, from http://ezinearticles.com/?DDoS-Attack-Prevention---The-Best-Medicine&id=1439320
	# Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, from http://pages.cs.wisc.edu/~plonka/netgear-sntp/		# Plonka, Dave. (August 21, 2003). Flawed Routers Flood University of Wisconsin Internet Time Server. Retrieved April 12, 2009, from http://pages.cs.wisc.edu/~plonka/netgear-sntp/
		+	# Manzano, Yanet. Tracing the Development of Denial of Service Attacks: A Corporate Analogy. Retrieved April 12, 2009, from http://www.acm.org/crossroads/xrds10-1/tracingDOS.html

	== External links ==		== External links ==

Frostd at 18:57, 12 April 2009

2009-04-12T18:57:43Z

← Older revision		Revision as of 18:57, 12 April 2009
Line 11:		Line 11:
	=== ICMP flood ===		=== ICMP flood ===

-	There are two basic ways that ~~the~~ [[~~Internet Control Message Protocol~~]] is used to deny service. The first is by flooding the target with [[ping]] messages until they are overwhelmed by trying to send responses and are slowed down. This can be done in either a very simple way that's only requirement is that you have more bandwidth than the target you are attacking or in a more complex way such as [[Smurfing]] or the Smurf Attack which exploits poorly configured network devices allow packets to be sent to all other hosts on a network using the broadcast address. The other way is called a often called a nuke and the most popular example is called the [http://en.wikipedia.org/wiki/Ping_of_death Ping of Death] which sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to target. Because of the size of the packet the target cannot reassemble them. This often causes the system to crash as a result. <sup>[1]</sup>	+	There are two basic ways that [[ICMP]] is used to deny service. The first is by flooding the target with [[ping]] messages until they are overwhelmed by trying to send responses and are slowed down. This can be done in either a very simple way that's only requirement is that you have more bandwidth than the target you are attacking or in a more complex way such as [[Smurfing]] or the Smurf Attack which exploits poorly configured network devices allow packets to be sent to all other hosts on a network using the broadcast address. The other way is called a often called a nuke and the most popular example is called the [http://en.wikipedia.org/wiki/Ping_of_death Ping of Death] which sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to target. Because of the size of the packet the target cannot reassemble them. This often causes the system to crash as a result. <sup>[1]</sup>

	=== TCP SYN Flood Attack ===		=== TCP SYN Flood Attack ===

Frostd at 18:08, 12 April 2009

2009-04-12T18:08:13Z

← Older revision		Revision as of 18:08, 12 April 2009
Line 38:		Line 38:

	== See also ==		== See also ==
		+	* [[Tools for conducting denial-of-service attacks]]
		+	* [[Internet Control Message Protocol]]
		+	* [[ping]]
		+	* [[Smurfing]]

	== References ==		== References ==
Line 48:		Line 52:

	== External links ==		== External links ==
		+	* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]

	--[[User:Frostd\|Frostd]] 17:32, 3 April 2009 (EDT)		--[[User:Frostd\|Frostd]] 17:32, 3 April 2009 (EDT)

Frostd at 18:02, 12 April 2009

2009-04-12T18:02:33Z

← Older revision		Revision as of 18:02, 12 April 2009
Line 5:		Line 5:
	Goals of the attacks:		Goals of the attacks:

-	- "flood" a network which will prevent legitimate network traffic	+	* "flood" a network which will prevent legitimate network traffic
-	- disrupt connections between two machines, which will prevent access to a service	+	* disrupt connections between two machines, which will prevent access to a service
-	- disrupt the service given to a ~~perticular~~ system or person [2]	+	* disrupt the service given to a particular system or person <sup>[2]</sup>

	=== ICMP flood ===		=== ICMP flood ===

-	There are two basic ways that [[~~ICMP~~]] is used to deny service. The first is by flooding the target with [[ping]] messages until they are overwhelmed by trying to send responses and are slowed down. This can be done in either a very simple way that's only requirement is that you have more bandwidth than the target you are attacking or in a more complex way such as ~~the~~ [[~~Smurf Attack~~]] which exploits poorly configured network devices allow packets to be sent to all other hosts on a network using the broadcast address. The other way is called a often called a nuke and the most popular example is called the [[Ping of Death]] which sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to target. Because of the size of the packet the target cannot reassemble them. This often causes the system to crash as a result. <sup>[1]</sup>	+	There are two basic ways that the [[Internet Control Message Protocol]] is used to deny service. The first is by flooding the target with [[ping]] messages until they are overwhelmed by trying to send responses and are slowed down. This can be done in either a very simple way that's only requirement is that you have more bandwidth than the target you are attacking or in a more complex way such as [[Smurfing]] or the Smurf Attack which exploits poorly configured network devices allow packets to be sent to all other hosts on a network using the broadcast address. The other way is called a often called a nuke and the most popular example is called the [http://en.wikipedia.org/wiki/Ping_of_death Ping of Death] which sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to target. Because of the size of the packet the target cannot reassemble them. This often causes the system to crash as a result. <sup>[1]</sup>

	=== TCP SYN Flood Attack ===		=== TCP SYN Flood Attack ===

-	[~~[TCP~~]~~] connect~~ request packets can be used to attack a target machine by causing the target to create half-open connections and reserve all of the ports on the machine. This is done by attempting to create a regular connection with the target, but never returning anything back to them after they have sent the SYN-ACK packet. Since the process of opening a TCP connect is a three-way handshake this will stall the process while waiting for confirmation from the attacker. Unlike a ICMP flood this attack does not depend on having more bandwidth than the target because there is a relatively small number of ports that have to be reserved.<sup>[1,2]</sup>	+	[http://en.wikipedia.org/wiki/Transmission_Control_Protocol Transmission Control Protocol] connection request packets can be used to attack a target machine by causing the target to create half-open connections and reserve all of the ports on the machine. This is done by attempting to create a regular connection with the target, but never returning anything back to them after they have sent the SYN-ACK packet. Since the process of opening a TCP connect is a three-way handshake this will stall the process while waiting for confirmation from the attacker. Unlike an ICMP flood this attack does not depend on having more bandwidth than the target because there is a relatively small number of ports that have to be reserved.<sup>[1,2]</sup>

	=== Application level floods ===		=== Application level floods ===

-	DoS attacks are not limited to only a server scale. Individual applications on a users machine are also prone to attack depending on the software. [[IRC]] is a very common example of where the various types of attacks used on servers can be seen on a smaller scale. These can include exploits such as buffer overflow which can cause software to get confused and fill disk space or consume all available memory or CPU time. ~~Aswell~~ as the more common types of attack such as flooding.<sup>[3]</sup>	+	DoS attacks are not limited to only a server scale. Individual applications on a users machine are also prone to attack depending on the software. [http://en.wikipedia.org/wiki/IRC IRC] is a very common example of where the various types of attacks used on servers can be seen on a smaller scale. These can include exploits such as buffer overflow which can cause software to get confused and fill disk space or consume all available memory or CPU time. As well as the more common types of attack such as flooding.<sup>[3]</sup>

	=== Distributed attack ===		=== Distributed attack ===
Line 25:		Line 25:
	=== Unintentional attack ===		=== Unintentional attack ===

-	As certain websites on the Internet grew more popular a relatively interesting phenomena started to ~~develope~~ in which websites were unintentionally being attacked by huge spikes in popularity. It is almost always the case that when big and often very popular sites link to small, unknown websites these sites ~~cannnot~~ handle all of the extra traffic and end up under a denial of service like effect. Digg, Slashdot and Fark are prime examples of websites that's only goal is to increase the popularity of other websites and they have gained a ~~repuation~~ for their own related "effects" when any website is posted on them.	+	As certain websites on the Internet grew more popular a relatively interesting phenomena started to develop in which websites were unintentionally being attacked by huge spikes in popularity. It is almost always the case that when big and often very popular sites link to small, unknown websites these sites cannot handle all of the extra traffic and end up under a denial of service like effect. [http://www.digg.com Digg], [http://www.slashdot.org Slashdot] and [http://www.fark.com Fark] are prime examples of websites that's only goal is to increase the popularity of other websites and they have gained a reputation for their own related "effects" when any website is posted on them.

-	Unintentional attacks are not limited to popularity. Routes such as D-Link and Netgear also have a history of flooding [[Network Time Protocol]] servers without the intention of the owner of the router.[6]	+	Unintentional attacks are not limited to popularity. Routes such as D-Link and Netgear also have a history of flooding [http://en.wikipedia.org/wiki/Network_Time_Protocol Network Time Protocol] servers without the intention of the owner of the router.<sup>[6]</sup>

	== Prevention and Protection ==		== Prevention and Protection ==

Frostd at 17:49, 12 April 2009

2009-04-12T17:49:34Z

← Older revision		Revision as of 17:49, 12 April 2009
Line 2:		Line 2:

	== Attack Methods ==		== Attack Methods ==
		+
		+	Goals of the attacks:
		+
		+	- "flood" a network which will prevent legitimate network traffic
		+	- disrupt connections between two machines, which will prevent access to a service
		+	- disrupt the service given to a perticular system or person [2]

	=== ICMP flood ===		=== ICMP flood ===
		+
		+	There are two basic ways that [[ICMP]] is used to deny service. The first is by flooding the target with [[ping]] messages until they are overwhelmed by trying to send responses and are slowed down. This can be done in either a very simple way that's only requirement is that you have more bandwidth than the target you are attacking or in a more complex way such as the [[Smurf Attack]] which exploits poorly configured network devices allow packets to be sent to all other hosts on a network using the broadcast address. The other way is called a often called a nuke and the most popular example is called the [[Ping of Death]] which sends an ICMP ECHO request packet that is much larger than the maximum IP packet size to target. Because of the size of the packet the target cannot reassemble them. This often causes the system to crash as a result. <sup>[1]</sup>
		+
		+	=== TCP SYN Flood Attack ===
		+
		+	[[TCP]] connect request packets can be used to attack a target machine by causing the target to create half-open connections and reserve all of the ports on the machine. This is done by attempting to create a regular connection with the target, but never returning anything back to them after they have sent the SYN-ACK packet. Since the process of opening a TCP connect is a three-way handshake this will stall the process while waiting for confirmation from the attacker. Unlike a ICMP flood this attack does not depend on having more bandwidth than the target because there is a relatively small number of ports that have to be reserved.<sup>[1,2]</sup>

	=== Application level floods ===		=== Application level floods ===
		+
		+	DoS attacks are not limited to only a server scale. Individual applications on a users machine are also prone to attack depending on the software. [[IRC]] is a very common example of where the various types of attacks used on servers can be seen on a smaller scale. These can include exploits such as buffer overflow which can cause software to get confused and fill disk space or consume all available memory or CPU time. Aswell as the more common types of attack such as flooding.<sup>[3]</sup>

	=== Distributed attack ===		=== Distributed attack ===

	=== Unintentional attack ===		=== Unintentional attack ===
		+
		+	As certain websites on the Internet grew more popular a relatively interesting phenomena started to develope in which websites were unintentionally being attacked by huge spikes in popularity. It is almost always the case that when big and often very popular sites link to small, unknown websites these sites cannnot handle all of the extra traffic and end up under a denial of service like effect. Digg, Slashdot and Fark are prime examples of websites that's only goal is to increase the popularity of other websites and they have gained a repuation for their own related "effects" when any website is posted on them.
		+
		+	Unintentional attacks are not limited to popularity. Routes such as D-Link and Netgear also have a history of flooding [[Network Time Protocol]] servers without the intention of the owner of the router.[6]

	== Prevention and Protection ==		== Prevention and Protection ==